Author List: Bulgurcu, Burcu; Cavusoglu, Hasan; Benbasat, Izak
MIS Quarterly, 2010, Volume 34, Issue 3, Page 523-A7.
This research identifies the antecedents of employee compliance with the information security policy (ISP) of an organization. Specifically, we investigate the rationality-based factors that drive an employee to comply with requirements of the ISP with regard to protecting the organization's information and technology resources. Drawing on the theory of planned behavior, we posit that, along with normative belief and self-efficacy, an employee's attitude toward compliance determines intention to comply with the ISP. As a key contribution, we posit that an employee's attitude is influenced by benefit of compliance, cost of compliance, and cost of noncompliance, which are beliefs about the overall assessment of consequences of compliance or noncompliance. We then postulate that these beliefs are shaped by the employee's outcome beliefs concerning the events that follow compliance or noncompliance: benefit of compliance is shaped by intrinsic benefit, safety of resources, and rewards, while cost of compliance is shaped by work impediment; and cost of noncompliance is shaped by intrinsic cost, vulnerability of resources, and sanctions. We also investigate the impact of information security awareness (ISA) on outcome beliefs and an employee's attitude toward compliance with the ISP. Our results show that an employee's intention to comply with the ISP is significantly influenced by attitude, normative beliefs, and self-efficacy to comply. Outcome beliefs significantly affect beliefs about overall assessment of consequences, and they, in turn, significantly affect an employee's attitude. Furthermore, ISA positively affects both attitude and outcome beliefs. As the importance of employees' following their organizations' information security rules and regulations increases, our study sheds light on the role of ISA and compliance-related beliefs in an organization's efforts to encourage compliance.
Keywords: behavioral issues of information security; compliance; information security management; information security policy; theory of planned behavior

List of Topics

#186 0.400 security information compliance policy organizations breach disclosure policies deterrence breaches incidents results study abuse managed isp violations based comply protection
#153 0.203 usage use self-efficacy social factors individual findings influence organizations beliefs individuals support anxiety technology workplace key outcome behavior contextual longitudinal
#140 0.089 model use theory technology intention information attitude acceptance behavioral behavior intentions research understanding systems continuance models planned percent attitudes predict
#213 0.079 assimilation beliefs belief confirmation aggregation initial investigate observed robust particular comparative circumstances aggregated tendency factors examine stages uncertainty instead confidence
#161 0.065 role relationship positively light important understanding related moderating frequency intensity play stronger shed contribution past considered maintenance effort effect specifically
#274 0.054 outsourcing transaction cost partnership information economics relationships outsource large-scale contracts specificity perspective decisions long-term develop requirements economic association factors hypotheses